Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| No arguments | | | |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | `{ "listChanged": false }` |
| prompts | `{ "listChanged": false }` |
| resources | `{ "subscribe": false, "listChanged": false }` |
| experimental | `{}` |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| check_ip | Look up threat intelligence for an IP address. Returns risk score, geolocation, ASN, malware C2 associations, active GhostWatch staging clusters, Tor exit status, and data sources. Use this when investigating a suspicious IP from a log, alert, or report. Args: ip: IPv4 or IPv6 address to look up (e.g. 45.141.26.73) |
| check_cve | Look up a CVE — exploitation status, KEV listing, EPSS score, and available exploits. Returns CVSS score, severity, EPSS probability, whether it's in the CISA Known Exploited Vulnerabilities catalog, exploit availability, and KEV Oracle prediction data. Use this to assess patch urgency for a specific vulnerability. Args: cve_id: CVE identifier (e.g. CVE-2024-3400 or CVE-2021-44228) |
| check_domain | Look up threat intelligence for a domain. Returns DNS records, WHOIS age, certificate transparency data, malware associations, and threat feed cross-references. Use this when investigating a suspicious domain. Args: domain: Domain name to look up (e.g. example.com) |
| check_hash | Look up a file hash to check if it's known malware. Checks against VirusTotal (68+ AV engines) and CIRCL hashlookup (6.3 billion known files). Returns malware family, detection count, and file metadata. Use this when investigating a suspicious file. Args: file_hash: MD5, SHA1, or SHA256 hash of the file |
| active_threats | Get a snapshot of current live threat intelligence. Returns database freshness, top statistics: KEV count, active C2s, ransomware victims, exploits, and when data was last updated. Use this for a quick situational awareness check. |
| predict_kev | Get KEV Oracle predictions — CVEs most likely to be added to CISA KEV soon. Scores unpatched CVEs by EPSS, exploit availability, ransomware association, and in-the-wild exploitation. Returns the top predicted CVEs ranked by likelihood of CISA KEV addition. Use this for proactive patch prioritization. Args: limit: Number of predictions to return (default 10, max 25) |
| check_staging | Check if an IP or domain is associated with a GhostWatch pre-attack staging cluster. GhostWatch detects infrastructure being staged for attacks before it's weaponized — the quiet window when attackers spin up C2s, register domains, and issue certs. Returns cluster details, confidence score, signal count, and AI threat assessment. Args: indicator: IP address or domain to check for staging activity |
| check_ransomware | Look up ransomware group activity or check if a company has been a victim. Search by ransomware group name (e.g. 'LockBit', 'BlackCat') or company/domain name to check victim feeds. Returns group stats, recent victims, and target industries. Args: query: Ransomware group name OR company name / domain to check |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
| No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
| No resources | |